"We don’t always install hotfixes; we install hotfixes if that specific problem is experienced in the environment. Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install. KBxxxxxx is entirely optional and doesn’t show up in the WSUS catalog, another reason why we never caught wind of it."

Regarding item #1: "We install hotfixes if that specific problem is experienced in the environment".

Answer #1: The truth is, you probably have the issue, and just haven’t gotten to it.

Finding it requires a large time investment with advanced tools: Sysinternals (ProcMon, ProcExp, ProcDump, VMMap, RAMMap, etc.), ETL tracing (WPRUI/WPR/Xperf), WinDbg (or DebugDiag), Message Analyzer (or Wireshark or Netmon), and other logs.

For example, when troubleshooting high CPU in LSASS on a DC, we created an automated method of catching the issue while it was occurring.

1. We had to find all the data (13 different data sets) that we needed to collect to get to the root cause.

2. We had to translate the UI-based information into command lines that would run from a batch file or script (PowerShell/VB).

3. We then had to test the data capture and make sure that it worked.

All of this took 3 days, and that is just capturing the data, which is the easiest part of the troubleshooting.
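As an added illustration of step 2 above (not the original post's script, and not the 13 data sets it mentions), here is the shape such a trigger-and-capture script takes in PowerShell: it polls LSASS CPU with Get-Counter and, once the spike is sustained, collects a WPR CPU trace, a process snapshot and exported event logs. It assumes wpr.exe and wevtutil.exe are on PATH, an elevated session on the affected DC, and a hypothetical output folder C:\PerfCapture.

```powershell
# Added example, not from the original post. Assumes wpr.exe and wevtutil.exe on PATH,
# an elevated PowerShell session, and the hypothetical output root below.
param(
    [int]$ThresholdPercent = 80,   # LSASS CPU (normalized to all cores) that counts as "hot"
    [int]$SustainSeconds   = 30,   # seconds the condition must hold before capture starts
    [int]$TraceSeconds     = 60,   # length of the CPU trace once triggered
    [string]$OutRoot       = 'C:\PerfCapture'   # hypothetical output folder
)

$cores = [Environment]::ProcessorCount
$hot   = 0

while ($true) {
    # '\Process(lsass)\% Processor Time' sums all cores, so divide by the core count.
    $sample = Get-Counter -Counter '\Process(lsass)\% Processor Time' -SampleInterval 1
    $cpu    = $sample.CounterSamples[0].CookedValue / $cores
    if ($cpu -ge $ThresholdPercent) { $hot++ } else { $hot = 0 }
    if ($hot -lt $SustainSeconds) { continue }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Data set 1: CPU sampling trace using WPR's built-in CPU profile, written to file.
    & wpr.exe -start CPU -filemode
    Start-Sleep -Seconds $TraceSeconds
    & wpr.exe -stop (Join-Path $dir 'lsass-cpu.etl')

    # Data set 2: process snapshot (handles, thread count, working set) at the spike.
    Get-Process -Name lsass |
        Select-Object Id, CPU, Handles, @{n='ThreadCount'; e={ $_.Threads.Count }}, WorkingSet64, StartTime |
        Export-Clixml (Join-Path $dir 'lsass-process.xml')

    # Data set 3: event logs around the incident, exported with wevtutil.
    foreach ($log in 'System', 'Application', 'Directory Service') {
        $file = ($log -replace ' ', '') + '.evtx'
        & wevtutil.exe epl $log (Join-Path $dir $file)
    }

    # Data set 4: the trigger reading itself, so the trace can be correlated later.
    "$stamp lsass CPU $([math]::Round($cpu,1))% sustained for $hot s" |
        Out-File (Join-Path $dir 'trigger.txt')

    Write-Host "Captured to $dir"
    break
}
```

Leave it running under a scheduled task so the capture fires while the problem is live rather than after someone notices it.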

Or you are understaffed and cannot take the time to fix the issue.

A lot of companies just end up rebooting or rebuilding the system(s).

Regarding item #2: "Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install."

Answer #2: That is probably the reason your clients and servers are not 'stable'.

"A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem."

Answer #4: It's boilerplate text. Often the same binary has been updated (superseded) multiple times.

Let me give you a real-world example. A Premier customer opened a case because their server was bugchecking (a.k.a. BSOD), and a non-security update was created for them. The company was big enough and segmented enough that their peers opened 11 more cases (yes, a total of 12 cases) with the same bugcheck, and the fix was the same. So why wouldn't you have deployed it to all the servers in the environment?

Q: How do I roll these fixes out?

A: The same way you rolled out a "Service Pack" in the past. Target the IT folks first. Then try a few of your power users in each department in your company. Never have your C-level executives test, unless you want to spend time working on executive escalations. Then continue with the phased deployment.

[Solution]

In Windows 10, Windows Server 2016 and newer, that is why Windows as a Service (WaaS) exists.

You get both the "Security updates" and the "Non-security updates" via the cumulative rollup.

Q: OK, but I still have Windows 7 SP1 and Windows Server 2008 R2, 2012, and 2012 R2 based systems.

A: If you are a Microsoft Premier customer, there is an engagement called Proactive Operations Program (POP) - "Software Update Technical Implementation". Please reach out to your Technical Account Manager (TAM) for more information (datasheet).